Malware hunters catch new Android spyware for governments in the wild

A group of malware hunters has caught a new Android spyware in the wild. The spyware is marketed to governments and police forces and was made in Italy—but it wasn’t built by the infamous surveillance tech vendor Hacking Team.

On Monday, researchers released a technical report on a new type of Android malware designed to surreptitiously record video and audio, turn the GPS on and off, steal data from the phone and take screenshots, among other functions: "run-of-the-mill, boring, commercial spyware junk," as one of the researchers put it in the report.

What's interesting is that the researchers said the spyware infected a victim working for a government, and they suspected it was made by Hacking Team. In reality, the spyware was likely made by another Italian company, one that has so far received little public attention. The prime suspect is a small startup based in Naples called Raxir: the spyware contacts a command-and-control server whose SSL certificate contains the string "Raxir".

Raxir is a surveillance firm housed at the "Città della Scienza" in Naples, a tech startup incubator. According to the company's page on the incubator's website, Raxir was founded in 2013 and produces software systems to support legal and intelligence investigations. The company wrote on that page that it has customers in government and law enforcement, and that the use of its software is "reserved" for those entities, "at the moment" within Italy. (Raxir did not respond to a request for comment sent to its public email address.)

Two former Hacking Team employees, who reviewed the report, said they were certain the malware wasn’t from their former company. “The sample has nothing to do with Hacking Team,” said another source, a security researcher with experience analyzing the company’s malware, who requested anonymity. “It’s structurally different from the ones attributed to Hacking Team and doesn’t share any part of the code.”

Bill Marczak, a researcher at Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs, agreed that this sample is almost certainly not from Hacking Team. Marczak said in an online chat that the spyware's infrastructure isn't linked to Hacking Team's, which he has been tracking for months.

Marczak also scanned the internet for traces of Raxir and found another server whose digital certificate contains the string "ProcuraNapoliRaxirSrv." The Procura di Napoli is Naples' office of the prosecutor, presumably a customer of Raxir. Tim Strazzere, the independent researcher who analyzed the malware, said he couldn't reveal who was targeted by it, but he or she works for a government, and there's an ongoing criminal investigation into the incident.
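Marczak's pivot, taking a distinctive string from the C2 server's certificate and looking for other servers whose certificates carry it, is a reusable hunting technique. The following is an added example written for this article, not tooling from Strazzere, Citizen Lab or Raxir: it fetches a server's leaf certificate as DER using only the Python standard library, walks the ASN.1 structure to collect every string-typed value (subject and issuer names plus dNSName entries nested inside the subjectAltName extension), and reports which of them contain an indicator such as "Raxir". Because no real certificate from the case is public, the block builds a small constructed DER stand-in for a certificate body; the indicator strings are the two quoted above, and the hostname "c2.example.invalid" inside it is invented for the example.

```python
"""Pivot on TLS certificate strings to find related C2 servers.

Added example, not the researchers' own tooling. Standard library only.
"""
import ssl

# ASN.1 universal string tags seen in X.509 Name fields: UTF8String, PrintableString,
# IA5String and T61String, mapped to the codec used to decode them.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii", 0x14: "latin-1"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, constructed, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:  # multi-byte tag numbers do not occur in X.509 certificates
        raise ValueError("long-form tag not supported")
    constructed = bool(tag & 0x20)
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, constructed, buf[pos:end], end


def extract_strings(der):
    """Depth-first walk of a DER blob returning every string-typed value, in order."""
    found, pos = [], 0
    while pos < len(der):
        tag, constructed, value, pos = read_tlv(der, pos)
        if constructed:                       # SEQUENCE, SET, explicit tags: descend
            found.extend(extract_strings(value))
        elif tag in STRING_TAGS:              # universal-class string types
            found.append(value.decode(STRING_TAGS[tag], errors="replace"))
        elif tag & 0xE0 == 0x80 and value and all(0x20 <= b < 0x7F for b in value):
            # context-specific primitive, e.g. the [2] IMPLICIT IA5String dNSName of a SAN
            found.append(value.decode("ascii"))
        elif tag == 0x04:                     # OCTET STRING: extension values nest DER here
            try:                              # best effort; key identifiers etc. are not DER
                found.extend(extract_strings(value))
            except ValueError:
                pass
    return found


def find_indicators(der, needles):
    """Return the certificate strings containing any needle (case-insensitive substring)."""
    lowered = [n.lower() for n in needles]
    return [s for s in extract_strings(der) if any(n in s.lower() for n in lowered)]


def fetch_cert_der(host, port=443):
    """Fetch a server's leaf certificate as DER. No validation on purpose: C2s are self-signed."""
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


# --- constructed sample data so the example runs offline -------------------------------

def tlv(tag, content):
    """Encode one DER element with short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_name(cn):
    """DER Name holding a single commonName (OID 2.5.4.3) attribute."""
    oid_common_name = bytes.fromhex("0603550403")
    atv = tlv(0x30, oid_common_name + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))


# Stand-in for a certificate body (constructed, not a real certificate): serial number,
# issuer Name, subject Name, and an OCTET STRING-wrapped SAN with one dNSName.
SAMPLE_DER = tlv(
    0x30,
    tlv(0x02, b"\x01")
    + der_name("Raxir CA")
    + der_name("ProcuraNapoliRaxirSrv")
    + tlv(0x04, tlv(0x30, tlv(0x82, b"c2.example.invalid"))),
)

if __name__ == "__main__":
    import sys
    der = fetch_cert_der(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_DER
    for hit in find_indicators(der, ["Raxir", "Procura"]):
        print("hit:", hit)
```

Run it with a hostname to inspect a live server, or with no argument to see the constructed sample produce hits on both "Raxir CA" and "ProcuraNapoliRaxirSrv". The same `extract_strings` routine can be pointed at certificates pulled from internet-wide scan datasets, which is the scale at which the second Raxir server was found; a substring match on an uncommon token is the whole pivot, so pick needles that are specific to the actor rather than generic words.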

More than a year after the devastating attack on Hacking Team, which exposed practically all of the company's internal emails as well as the source code of its tools, new companies are popping up to fill the void. Raxir is just one of them, and like Hacking Team and another little-known firm, RCS Lab, it's based in Italy. As one Italian security researcher once jokingly tweeted: "Italy: Spaghetti, Pizza, and Spyware."